Create the command value string when loading the dictionary and
assign it to the command code field when registering it. This
makes it behave like any other value_string for adding to a custom
column (allowing resolved and unresolved), etc.
It could be changed to use a wmem_array instead of a GArray, as is
currently done with the AVPs.
Fix#16833. (Note that solving the analogous issue for the AVP
code text is more complicated, since the interpretation depends
on the vendor ID.)
Passing a literal value to abs() on the LHS segfaults, because it
is incorrectly assumed to be a valid field.
We need to check if we actually have a field. While at it improve
the diagnostic of literals.
The following changes are part of this patch:
- Make signed integer for analog default
- Analog Sample Time 0 is reserved now
- Updating Data Flags TX for CAN, CAN-FD, LIN, FlexRay, UART
- Show Parity Bits of LIN
- Expert Warning, when FlexRay Header CRC overflows into reserved bits
This patch adds IDs and Names for:
- New UDS Services (0x29, 0x84, 0x86, 0x87)
- New ReadDTCInformation SubFunctions
- New Negative Response Codes
This patch does not dissection support for the new UDS Services.
There's some code intended to decode an older Internet Draft version
of Diameter, before December 2002. It's supposed to be set by an
obsolete enum preference, but due to a misunderstanding, it's
been dead code for the last 15 years. No one has complained in that
time, so instead of bringing the preference back and resurrecting
it, remove it and shrink the memory usage of the diameter dissector.
Related to #16833, as it will make adding the command code value
string simpler.
Register the data dissector to all dissector tables that support
Decode As. This provides a way to disable decoding for table
entries that have a default dissector registered to a value.
It is particularly useful when a dissector is registered by default
to several values (e.g. HTTP), to be able to disable decoding
for one port without disabling the dissector in general.
It is also useful to prevent payloads from being handed off
to heuristic dissectors, and is thus distinguished from the
fallback to data when no dissector is set. N.B.: that this has no
effect on dissectors that have a "Try heuristic sub-dissectors first"
preference set to TRUE.
It does not solve a second issue for table entries with a default
dissector - setting the dissector to "none" in order to force
payloads to be sent to heuristic dissectors without setting a
preference as above. (Note that in some cases one will wish to
send dissection on some ports to heuristics without enabling
heuristics first for _all_ ports.)
Fix#17518. Fix#15717. Related to #12098, which also needs the
last issue mentioned above addressed.
Non-blocking reads were used to workaround Windows pipe handle leaks.
Now that the underlying issue is fixed (i.e. Wireshark no longer leaks
child process stdin/stdout/stderr handles), we can use blocking reads.
Using blocking reads is the main performance improvement. Reading more
than one byte at a time gives additional 15% performance improvement (on
top of enormous speedup due to blocking reads).
Avoid stdin and stdout file descriptor race conditions by closing the
descriptors only after the respective threads exit.
dfvm.c:206:1: warning: no previous prototype for function 'dfvm_value_tostr'
dfvm.c:550:1: warning: no previous prototype for function 'filter_finfo_fvalues'
dfvm.c:645:1: warning: no previous prototype for function 'filter_refs_fvalues'
lpcre2.c:506:13: warning: no previous prototype for function 'luaopen_rex_pcre2'
lpcre2_f.c:207:5: warning: no previous prototype for function 'Lpcre2_config'
lpcre2_f.c:234:5: warning: no previous prototype for function 'Lpcre2_get_flags'
ftype-double.c:89:1: warning: no previous prototype for function 'val_unary_minus'
ftype-double.c:96:1: warning: no previous prototype for function 'val_add'
ftype-double.c:103:1: warning: no previous prototype for function 'val_subtract'
ftype-double.c:110:1: warning: no previous prototype for function 'val_multiply'
ftype-double.c:117:1: warning: no previous prototype for function 'val_divide'
ftype-integer.c:670:1: warning: no previous prototype for function 'uint_bitwise_and'
ftype-integer.c:677:1: warning: no previous prototype for function 'uint_is_zero'
ftype-integer.c:683:1: warning: no previous prototype for function 'uint_is_negative'
ftype-integer.c:689:1: warning: no previous prototype for function 'uint_unary_minus'
ftype-integer.c:704:1: warning: no previous prototype for function 'uint64_bitwise_and'
ftype-integer.c:711:1: warning: no previous prototype for function 'uint64_is_zero'
ftype-integer.c:717:1: warning: no previous prototype for function 'uint64_is_negative'
ftype-integer.c:723:1: warning: no previous prototype for function 'uint64_unary_minus'
ftype-integer.c:738:1: warning: no previous prototype for function 'sint_bitwise_and'
ftype-integer.c:745:1: warning: no previous prototype for function 'sint_is_zero'
ftype-integer.c:751:1: warning: no previous prototype for function 'sint_is_negative'
ftype-integer.c:757:1: warning: no previous prototype for function 'sint_unary_minus
ftype-integer.c:764:1: warning: no previous prototype for function 'sint64_bitwise_and'
ftype-integer.c:771:1: warning: no previous prototype for function 'sint64_is_zero'
ftype-integer.c:777:1: warning: no previous prototype for function 'sint64_is_negative'
ftype-integer.c:783:1: warning: no previous prototype for function 'sint64_unary_minus'
packet-bpv6.c:2182:1: warning: no previous prototype for function 'proto_register_bpv6'
packet-bpv6.c:2766:1: warning: no previous prototype for function 'proto_reg_handoff_bpv6'
packet-bpv7.c:1978:6: warning: no previous prototype for function 'proto_register_bpv7'
packet-bpv7.c:2037:6: warning: no previous prototype for function 'proto_reg_handoff_bpv7'
packet-realtek.c:349:1: warning: no previous prototype for function 'proto_register_realtek'
packet-realtek.c:436:1: warning: no previous prototype for function 'proto_reg_handoff_realtek'
packet-tcpcl.c:2147:1: warning: no previous prototype for function 'proto_register_tcpclv3'
packet-tcpcl.c:2211:1: warning: no previous prototype for function 'proto_reg_handoff_tcpclv3'
A "proto_tree_add..._ret_..." routine *must* return the value through
the pointer, even if no protocol tree is being built, as there's no
guarantee that a protocol tree will be built under all circumstances
(for example, if the dissection is only being done to generate the
column values, no column is a custom column, there are no coloring
rules, etc., so that none of the named field values are of interest, and
the protocol tree isn't going to be displayed, no protocol tree will be
built).
Fixes#18203.
packet-thrift.h:118:15: warning: parameter 'thrift_opt' not found in the function declaration
packet-thrift.h:119:15: warning: parameter 'is_field' not found in the function declaration
packet-thrift.h:121:15: warning: parameter 'field_id' not found in the function declaration
packet-thrift.h:122:15: warning: parameter 'hf_id' not found in the function declaration
packet-thrift.h:124:15: warning: parameter 'encoding' not found in the function declaration
packet-thrift.h:167:15: warning: parameter 'elt' not found in the function declaration
packet-thrift.h:169:15: warning: parameter 'seq' not found in the function declaration
Field 'File ID' (gsm_sim.file_id) has a conflicting entry in its value_string: 24380 is at indices 72 (DF.MExE) and 78 (DF.MexE)
Field 'File ID' (gsm_sim.file_id) has a conflicting entry in its value_string: 24384 is at indices 73 (DF.EIA/TIA-533) and 80 (DF.WLAN)
Field 'File ID' (gsm_sim.file_id) has a conflicting entry in its value_string: 20233 is at indices 194 (EF.EFSUPI_NAI) and 198 (EF.PBC)
Field 'File ID' (gsm_sim.file_id) has a conflicting entry in its value_string: 20234 is at indices 195 (EF.Routing_Indicator) and 199 (EF.PBC1)
All/any equal have their own symbols for operators so cannot
be handled in the same switch case.
Other comparisons don't have different symbols for any/all.
New vendor ID's up to june 22, 2022 have been added.
Decoding of the optional description field in BACnet SC BVLC's has been fixed.
Decoding of the exteded event parameters has been fixed.
It's possible for a dissector to claim a frame without adding to
the tree or being added to frame.protocols (see !6669)
Log a debug message showing the pinfo layers and the dissector that
claimed the tvb (frame/packet).
Add a function to get the column text of the nth column, taking
into account whether the column is resolved or unresolved. Use
this function in the GUI, as well as in tshark, when writing
PSML, exporting dissection to PSML, etc., instead of accessing
col_data directly.
This removes the direct accesses of col_data from outside
column.c and column-utils.c
Fix#18168.
Currently Wireshark does not close the vlans file on profile change.
This leads to major problems, when vlan resolution is turned on:
- Deleting a profile (not even selected) is not possible without exiting
Wireshark.
- Switching from one profile with vlans to another with vlans, does
not switch the resolution but stays on the names of the old profile!
This patch improves the uat config checking for SOME/IP:
- detecting simple endless loops
- better error output on faulty configs
- using uat resets to fix crash on faulty configs
When writing a custom column, some field types can't have a resolved
value, and just copy the label from the expression to the value.
Only copy information from the most recent field when doing so,
so that with multifield custom columns the entire unresolved value
doesn't get overwritten with the resolved value (if some fields
have resolved values and some don't.) This also reduces copying
from O(N^2) to O(N).
Fixes the display "unresolved" value for multifield custom columns
that are a mix of field types.
Custom column expressions do not need to be limited to COL_MAX_LEN.
The size of the expression does not have any necessary relationship
to the size of the column contents, especially in the common case of
many semantically equivalent different fields from different protocols,
only one of which appears in any given frame.
The only place that actually does limit the length of custom
custom expressions is in reading the preferences. Use a GString
instead of allocating a buffer to COL_MAX_LEN when constructing
the string. In normal cases, this should decrease temporary
memory usage. Fix#16905
For the top-level item for an extension, initially create it with a
length of "to the end of the packet" and, when we finish dissecting it,
set the length appropriately. That way, if the length is too large, we
don't throw an immediate exception, making it a little clearer what's
happending.
When dissecting an authentication extension, construct the text of the
top-level item as we dissect it, and initially create it with a length
of "to the end of the packet" and, when we're finished dissecting it,
set the length appropriately. That way, we don't throw an exception
before doing any dissection if the data for the item isn't all there, we
only throw an exception when we run out of data, and we also don't try
to add the data unless there is at least one byte of data.
The latter of those fixes#18181.
Switch to the name "Logray" for the log analyzer. Rays are biological
cousins of sharks and more people like the name "Logray" in a completely
unscientific survey here. Apologies for any inconvenience this might
cause.
proto_strlcpy in normal situations returns the number of bytes
copied (because the return value of g_strlcpy is strlen of the
source buffer). It can copy no more than dest_size - 1, because
dest_size is the size of the buffer, including the null terminator.
(https://docs.gtk.org/glib/func.strlcpy.html)
Returning dest_size can cause offsets to get off by one and reach
the end of the buffer, and can cause subsequent calls to have
buffer overflows. (See #16905 for an example in the comments.)
Several of the constant length string built in address types don't
check to see if the buf_len passed in is long enough to write
the string.
This can cause buffer overflows, e.g. with a custom column with
many FT_ETHER fields.
Allow checking if a slice exists. The result is true if the
slice has length greater than zero.
The len() function is implemented as a DFVM instruction instead.
The semantics are the same.
Port 45564 is not IANA registered for Apache. The heartbeat
messages all start with the same 8 character ASCII delimiter
string, so use that for heuristics.
This removes unparsed name resolution during the semantic
check because it feels like a hack to work around limitations
in the language syntax, that should be solved at the lexical
level instead.
We were interpreting unparsed differently on the LHS and RHS.
Now an unparsed value is always a field if it matches a
registered field name (this matches the implementation in 3.6
and before).
This requires tightening a bit the allowed filter names for
protocols to avoid some common and potentially weird conflicting
cases.
Incidentally this extends set grammar to accept all entities.
That is experimental and may be reverted in the future.
Treat all 4 octets of the control field as a single little-endian value
divided into bitfields. We already showed *some* subfields as
bitfields; this means we show *all* of them that way.
That makes the display more clearly show which bits in those octets
correspond to which fields.
It also fixes the dissection of the type field; we have separate
bitfields for I frames (1-bit bitfield) and S and U frames (2-bit
bitfield).
Use proto_tree_add_item_ret_uint() to fetch the values other than the
frame type value.
Fixes#18167.
Strengthen the DCP-ETSI (TS 102 821) heuristic from matching
two bytes to matching four bytes. Split the heuristic and
non-heuristic dissector pieces, and add the non-heuristic
dissector for Decode As.
KNX/IP has an IANA registered port, 3671, and some other ports commonly
used but unregistered (or registered to other services). It also has
no heuristics. Add a port range preference defaulting to the registered
port.
tplink-smarthome uses a port registered by IANA to another application.
At least add a heuristic; since the message is always JSON, we
can decode and test the first two characters.
USB 2.0/1.1/1.0 devices (or 3.x and newer when connected to hosts that
are not Super-Speed capable) operate at one of three speeds:
* Low-Speed (1.5 Mbps)
* Full-Speed (12 Mbps)
* High-Speed (480 Mbps)
Supporting speed specific linktypes allows speed specific dissection
without the need for user to manually set the speed.
After implementing RFC 7983, the STUN dissector will reject
DTLS and [S]RTP packets even in non-heuristic mode. Since
the dissector is more discriminating, it is safe to set
the conversation dissector after receiving any valid STUN
packet, not just specifically a TURN packet.
This makes dissection work better on some captures that have
some TURN ChannelData messages along with STUN packets in
the other direction, but lack the packets that set up the
TURN Channel. In turn, that allows the Decode As setting to
be configured for RTP, which has a weaker heuristic dissector
than STUN. Fix#18148.
Port the script that creates init.lua to Python3. The generated init.lua
removes one newline and adds another, otherwise the output is identical
to the Perl version.
Ping #18152.
Port the script that creates taps_wslua.c and taps.txt to Python3. The
generated taps_wslua.c has one less newline, otherwise the output is
identical to the Perl version. Make the "taps" configuration file an
ConfigParser / .ini file.
Ping #18152.
This code adds more robust handling of smaller issues with PTP messages,
like a missing 2-step flag of a not quite correct implementation of
802.1AS and improves 1-step support.
Changes:
- Handle 1-step syncs in analysis.
- Handle missing 2-step flag on pDelay more robust and warn in analysis.
- Handle missing F'up TLV in 802.1AS Sync more robust and warn.
Reject the previous reserved and unassigned TURN channels and
STUN methods restricted by RFC 5764 and RFC 7983 to allow
multiplexing of STUN with DTLS-SRTP (and ZRTP) on the same
addresses and ports. (As an exception, allow the special MS
Multiplex TURN channel value.) Earlier versions of the specs
had these as unassigned (or did not support TURN Channels), and
no implementation has used them.
This prevents the STUN dissector from claiming RTP packets
going to the same port as set for STUN by Decode As, and should
allow us to set the STUN dissector as the dissector for a conversation
on UDP if we see any STUN message, not just a TURN message type.
- Declare a separate type for the IPv6 TLV MAC address, otherwise its
filter key is `ieee1905.ipv4_type.mac_addres` instead of the expected
`ieee1905.ipv6_type.mac_addres` one which is confusing
- Fix label for `hf_ieee1905_ipv6_type_count` to read "IPv6 address count"
instead of the wrong "IPv4 address count"
- Parse the IPv6 link local address which appears between the EUI-48 and
the IPv6 address count in IPv6 type TLVs, without that, valid IPv6 TLVs
are wrongly parsed and reported as malformed
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
MS-IMPLEMENTATION-VERSION is not a duplicate of MS-VERSION, and
has a different interpretation. MS-VERSION is the version number
of MS-TURN, its values described in 2.2.2.17 of its spec, and
MS-IMPLEMENTATION-VERSION is the version of MS-ICE2, its values
described in section 3.1.5.2 of its spec.
The latter indicates whether the STUN message format must be that of
Internet-Draft behave-rfc3489bis-02 (that is, roughly the final
form of classic STUN, also used in MS-TURN) or whether that of
RFC 5389 is also supported.
HTTP chunked transfer encoding can have lots of chunks, and calling
the data dissector for each individual chunk adds a large number of
layers to the frame and doesn't really make sense. (As opposed to
calling the data dissector on the reassembled data if we can't handle
the content type, which does make sense.) In particular, this can
cause a failed assertion by adding more layers than
PINFO_LAYER_MAX_RECURSION_DEPTH.
Just add each data chunk as a FT_BYTES item. Fix#18130.
This adds support for using the layers filter
with field references.
Before:
$ dftest 'ip.src != ${ip.src#2}'
dftest: invalid character in macro name
After:
$ dftest 'ip.src != ${ip.src#2}'
Filter: ip.src != ${ip.src#2}
Syntax tree:
0 TEST_ALL_NE:
1 FIELD(ip.src <FT_IPv4>)
1 REFERENCE(ip.src#[2:1] <FT_IPv4>)
Instructions:
00000 READ_TREE ip.src <FT_IPv4> -> reg#0
00001 IF_FALSE_GOTO 5
00002 READ_REFERENCE_R ${ip.src <FT_IPv4>} #[2:1] -> reg#1
00003 IF_FALSE_GOTO 5
00004 ALL_NE reg#0 != reg#1
00005 RETURN
This requires adding another level of complexity to references.
When loading references we need to copy the 'proto_layer_num'
and add the logic to filter on that.
The "layer" sttype is removed and replace by a new
field sttype with support for a range. This is a nice
cleanup for the semantic check and general simplification.
The grammar is better too with this design.
Range sttype is renamed to slice for clarity.
Use "True" or "TRUE" instead of "true" and remove case insensivity.
Same for false. This should serve to differentiate booleans a bit
more from protocol names, which should be using lower-case.
This change fixes a segmentation fault core dump in tshark/Wireshark
when loading a pcapng file that contains the packet verdict option.
This problem got introduced in the commit mentioned below.
Fixes: 030b06ba3c ("pcapng: write packet and Netflix custom blocks the same as other blocks.")
Signed-off-by: Eelco Chaudron <echaudro@redhat.com>
This dissector is for the control messages of the GRE bonding protocol by
Huawei. These messages are encapsulated in GRE and can appear on both/all
bonding links.
During development, I made heavy use of traffic for Deutsche Telekom Hybrid
service. There fore, it also supports the first version which did not have an
IEEE assigned ethertype.
By adding signal aggregation the time to change profiles changed
dramatically. This is due to unregistering header fields being a very
slow operation and for aggregation each signal line did not lead to 2
but to 5 hfs.
Unregistering header fields for 150k signal example config (debug build):
- 3.6: 50s
- 3.7: 592s (9:52!!!)
This patch brings the time back to 50s, if no aggregation is configured.
Use host byte-order with AT_NUMERIC to make it more generic
and practical.
Change openSAFETY to pass addresses in host byte-order (the
previous code assumed they were in little-endian).
Plus a few cleanups.
The previous output was missing some fields under some conditions, and
some output text was wrong. This ended up in big confusion when looking
at the fields. Let's add the missing fields, fix the existing ones and
provide better formatting of the strings to understand which exact field
provides the info.
ETSI TS 24.380 section 8.2.3.4 specifies that:
"The <Reject Phrase> value is a text string encoded the text string
in the SDES item CNAME as specified in IETF RFC 3550."
This does not mean that SDES tipe and length files are necessary,
only applies in the enconding of the text string.
Make the default UI layout "packet list on top, packet detail and bytes
side by side". This is more space efficient on modern displays and is
the first thing I change when using the default profile.
After parsing a Topology Descriptor at the start of a request
or reply command, reset the left and right bracket counters
before going back to the top of the loop to parse the next
command, just like how done at the end of the while loop with
a normal command.
Prevents marking as malformed packets which have a Topology Descriptor
followed by a single command (e.g. Move) without any trailing
descriptors, and hence no more left brackets.
Add a numeric address type analog to StringZ for
protocols who only use numeric values as addresses
with no further handling.
e.g. IAT protocols which only enumerate the devices
Since the endpoint_by_id code uses elements and not the old
endpoint structure, it shouldn't set pinfo->use_endpoint to
TRUE when creating, and it should check if pinfo->conv_elements
is NULL, not pinfo->conv_endpoint.
Trying to parse LUS and LNS files if the protocol version
was "A1" led to them being marked as a malformed packets.
THis is because protocol version A1 LUS and LNS files do
not have the exception timer field. So to fix it, we check if
the protocol version is not A1, and only if it isn't do we try to
parse the exception timer field.
Because completed reassemblies are hashed in the reassembled_table for
all the frame numbers that contributed fragments,
fragment_get_reassembled_id() works wherever fragment_get_reassembled()
does, and also works where the fragment id is not the frame number.
However, since the reassembled_table hash key only depends on the
fragment id and the frame number, it only allows a frame to have
one reassembly with a given fragment id. Some protocols can have
more than one reassembly with a given fragment id (that differ on
addresses or other keys), such as GSM SMS, and the wrong reassembly
is retrieved on the second pass in those cases.
For this reason, we might want to add additional key elements to
reassembled_table, such as layer number. fragment_get_reassembled_id
already takes packet_info as a parameter and can accommodate that
without further changes, but fragment_get_reassembled cannot, so
remove the latter in favor of the former.